Microsoft Purview · Global & Security Roles

Compliance Administrator

Comprehensive Entra ID role with broad permissions across Microsoft Purview compliance features including DLP, retention, sensitivity labels, eDiscovery, and compliance management.

Scope: Organization-wide Microsoft Entra ID role with access to most Purview compliance features (excludes device management and Content Explorer)

Permissions

  • Retention Policies - Manage retention policies and labels across all Microsoft 365 workloads (Exchange, SharePoint, OneDrive, Teams, Copilot)
  • DLP Policies - Configure DLP policies across cloud apps, endpoints, on-premises repositories, and Exchange
  • Sensitivity Labels - Create and manage sensitivity labels and auto-labeling policies
  • Compliance Manager - Access Compliance Manager and manage assessments, improvement actions, and compliance scores
  • Information Barriers - Configure information barriers policies and organizational segments
  • Classifiers - Manage trainable classifiers, exact data match (EDM), and sensitive information types
  • Reports - View and export compliance reports, audit logs, and analytics dashboards
  • eDiscovery Standard - Manage eDiscovery (Standard) cases: search, hold, export mailboxes, sites, and Teams
  • Communication Compliance - Configure communication compliance policies and review alerts (view-only on messages)
  • Insider Risk - Manage insider risk management policies and review alerts (view-only on content)
  • Records Management - Configure records management labels, file plan, and disposition workflows
  • Alert Policies - Manage alert policies, activity alerts, and compliance notifications
  • Activity Explorer - Access Activity Explorer for user activity monitoring (list view only)
  • Adaptive Scopes - Manage adaptive scopes for dynamic policy targeting
  • Copilot Retention - Configure retention for Microsoft 365 Copilot interactions and AI-generated content
  • Administrative Units - Manage administrative units for scoped retention and DLP policies

Common use cases

  • Chief Compliance Officer or Compliance Manager with broad oversight responsibilities
  • Organizations needing a single Entra ID role for general compliance management across all Purview solutions
  • Smaller compliance teams where one person handles DLP, retention, sensitivity labels, and eDiscovery
  • Compliance consultants implementing comprehensive compliance programs for clients
  • Mid-sized organizations without specialized compliance roles (e.g., separate DLP and retention admins)
  • Managing regulatory compliance for GDPR, HIPAA, SOX, SEC, FINRA, CCPA, FERPA
  • Configuring organization-wide data protection and governance policies
  • Coordinating compliance initiatives across legal, IT, and business stakeholder groups

Best practices

  • Use this role for senior compliance staff managing overall compliance program
  • Consider using more specific roles (DLP Compliance Management, Retention Management) for team members with narrower responsibilities
  • Implement change management and peer review processes for critical policy modifications
  • Conduct regular compliance posture reviews using Compliance Manager assessments
  • Coordinate with security team on overlapping controls (DLP, insider risk, information protection)
  • Document policy decisions and regulatory basis in Compliance Manager improvement actions
  • Test policies with pilot groups before organization-wide deployment
  • Use administrative units to delegate compliance management for specific regions or business units
  • Schedule quarterly reviews of retention labels, DLP policies, and sensitivity labels
  • Maintain separation of duties: assign eDiscovery Manager to legal team, not compliance admins
  • Use adaptive scopes for dynamic policy targeting based on user attributes or department
  • Enable auditing for all compliance policy changes and review logs monthly

Security considerations

  • Broad access to compliance controls - monitor activities closely with audit logs
  • Changes to DLP or retention can impact entire organization - test thoroughly before deployment
  • Should NOT have IT admin rights (Exchange Admin, SharePoint Admin) to maintain separation of duties
  • Consider using Privileged Identity Management (PIM) for just-in-time activation
  • Cannot access Content Explorer (requires Compliance Data Administrator for sensitive content viewing)
  • Cannot manage device compliance policies (requires Compliance Data Administrator)
  • eDiscovery permissions limited to Standard tier - use eDiscovery Manager for Premium capabilities
  • Assign sparingly - only to trusted compliance professionals with proven judgment
  • Review role assignments quarterly and remove inactive or unnecessary assignments
  • Combine with MFA and conditional access policies for elevated protection

Common questions

When should I assign the Compliance Administrator role?

Assign Compliance Administrator when you need to: Chief Compliance Officer or Compliance Manager with broad oversight responsibilities; Organizations needing a single Entra ID role for general compliance management across all Purview solutions; Smaller compliance teams where one person handles DLP, retention, sensitivity labels, and eDiscovery; Compliance consultants implementing comprehensive compliance programs for clients; and Mid-sized organizations without specialized compliance roles (e.g., separate DLP and retention admins). It is part of Microsoft Purview and should be granted as a least-privilege alternative to broader roles like Global Administrator.

What can someone with the Compliance Administrator role do?

The Compliance Administrator role grants permissions including: Retention Policies - Manage retention policies and labels across all Microsoft 365 workloads (Exchange, SharePoint, OneDrive, Teams, Copilot); DLP Policies - Configure DLP policies across cloud apps, endpoints, on-premises repositories, and Exchange; Sensitivity Labels - Create and manage sensitivity labels and auto-labeling policies; Compliance Manager - Access Compliance Manager and manage assessments, improvement actions, and compliance scores; Information Barriers - Configure information barriers policies and organizational segments; and Classifiers - Manage trainable classifiers, exact data match (EDM), and sensitive information types. See the Permissions section above for the full list.

What are the security risks of the Compliance Administrator role?

Key considerations when assigning Compliance Administrator: Broad access to compliance controls - monitor activities closely with audit logs; Changes to DLP or retention can impact entire organization - test thoroughly before deployment; Should NOT have IT admin rights (Exchange Admin, SharePoint Admin) to maintain separation of duties; and Consider using Privileged Identity Management (PIM) for just-in-time activation. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.

Official Microsoft Learn documentation →

Open the interactive RBACMap →